Commit
libmbedtls: use 'unsafe' algorithm for mbedtls_mpi_exp_mod()
Modular exponentiation in MBed TLS v3.6.2 comes in two flavors: an 'unsafe' one, mbedtls_mpi_exp_mod_unsafe(), and a 'safe' one called mbedtls_mpi_exp_mod(). Here safe/unsafe refers to resistance against timing attacks (the safe variant is constant-time and usually much slower). The reason for having the two variants is that the fastest may be used with public keys while the slowest should be used with private keys.

The problem with the safe variant, which is now the default, is that it introduces a large performance regression in "time xtest 4011" which makes the QEMUv7 tests in particular impractical:

                              QEMUv8       QEMUv7
    3.4.0 (OP-TEE 4.2.0)      0m 0.85s     0m 14.29s
    3.6.2 w/o this commit     0m 21.83s    8m 3.04s
    3.6.2 w/ this commit      0m 0.93s     0m 14.34s

Prior to v3.6.0, MBed TLS had no constant time implementation.

This commit switches mbedtls_mpi_exp_mod() to the unsafe variant for better performance. It remains to be seen if the safe/unsafe variants could be used more precisely in OP-TEE.

Link: https://optee.readthedocs.io/en/latest/building/devices/qemu.html#qemu-v7 [1]
Link: Mbed-TLS/mbedtls@1ba4058
Signed-off-by: Jerome Forissier <[email protected]>
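The commit message contrasts a variable-time and a constant-time modular exponentiation without showing why one leaks and the other costs more. The following is an added, self-contained illustration written for this page; it is not Mbed TLS code and is not the OP-TEE project's. It uses 64-bit operands and a 128-bit intermediate as a stand-in for a real bignum library: `exp_mod_unsafe()` is plain square-and-multiply whose multiplication count depends on the exponent's bits (the timing leak the 'safe' variant exists to close), and `exp_mod_safe()` is a Montgomery ladder that does identical work for every bit and selects operands with masks instead of branches. The `mul_count` parameter is a hypothetical instrumentation hook added so the difference is observable.

```c
#include <stdint.h>
#include <stdio.h>

/* (a * b) mod m without overflow, via a 128-bit intermediate.
 * Note: hardware division is itself not constant-time; real constant-time
 * libraries use Montgomery multiplication here. This is a stand-in for
 * illustration only. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)(((unsigned __int128)a * b) % m);
}

/* Variable-time square-and-multiply (the 'unsafe' flavor).
 * The extra multiply on set bits means running time and the number of
 * multiplications depend on the exponent: fine for a public exponent,
 * a leak for a private one. mul_count (hypothetical, may be NULL) counts
 * mulmod() calls so the dependency can be observed. */
uint64_t exp_mod_unsafe(uint64_t base, uint64_t exp, uint64_t m,
                        unsigned *mul_count)
{
    uint64_t result = 1 % m;
    base %= m;
    while (exp) {
        if (exp & 1) {                      /* data-dependent branch */
            result = mulmod(result, base, m);
            if (mul_count) (*mul_count)++;
        }
        base = mulmod(base, base, m);
        if (mul_count) (*mul_count)++;
        exp >>= 1;
    }
    return result;
}

/* Constant-time Montgomery ladder (the 'safe' flavor).
 * Always 64 iterations, always one multiply and one square per iteration;
 * which register gets which result is chosen by a mask, never by a branch.
 * That fixed work for every bit is where the slowdown comes from. */
uint64_t exp_mod_safe(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t r0 = 1 % m;
    uint64_t r1 = base % m;
    for (int i = 63; i >= 0; i--) {
        uint64_t bit  = (exp >> i) & 1;
        uint64_t mask = 0 - bit;            /* all ones if bit set */
        uint64_t t;

        /* conditional swap so the ladder step below is bit-independent */
        t = (r0 ^ r1) & mask; r0 ^= t; r1 ^= t;
        r1 = mulmod(r0, r1, m);
        r0 = mulmod(r0, r0, m);
        /* swap back */
        t = (r0 ^ r1) & mask; r0 ^= t; r1 ^= t;
    }
    return r0;
}

int main(void)
{
    unsigned c13 = 0, c8 = 0;
    /* Constructed sample values; 4^13 mod 497 = 445. */
    printf("unsafe: %llu\n", (unsigned long long)exp_mod_unsafe(4, 13, 497, &c13));
    printf("safe:   %llu\n", (unsigned long long)exp_mod_safe(4, 13, 497));
    exp_mod_unsafe(4, 8, 497, &c8);
    /* Same bit length (4 bits), different work: the exponent is visible
     * in the operation count of the unsafe variant. */
    printf("mulmod calls: exp=13 -> %u, exp=8 -> %u\n", c13, c8);
    return 0;
}
```

Both functions return the same value; the difference is entirely in how the work depends on the exponent. The message's choice to use the unsafe variant therefore trades that independence for speed, which is why the commit notes it remains to be seen whether the two variants could be applied more selectively (public versus private exponents) in OP-TEE.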